Showing posts with label Threat. Show all posts

Monday 26 February 2024

27001 & climate change

Like other ISO management systems standards, ISO/IEC 27001:2022 has just been amended to incorporate two small wording changes:

  • “The organization shall determine whether climate change is a relevant issue” (clause 4.1);

  • “NOTE: Relevant interested parties can have requirements related to climate change.” (clause 4.2).

So, it is fair to ask what has climate change got to do with information risk and security? Is it even relevant? Having been mulling that over for quite some while now, I've come up with a dozen points of relevance:



For more on those twelve, read "Secure the Planet".

The clock in that image is a reminder that time is pressing, so here are half-a-dozen things information risk and security professionals can do to help.

Friday 15 September 2023

Checklust security


"Seventy Questions to Assess Cybersecurity Risk on a Rapidly Changing Threat Landscape" is an ISACA 'industry news' article by Patrick Barnett.

Whereas normally I give 'industry news' and checklists a wide berth, Patrick is (according to the article) highly qualified and experienced in the field, so I took a closer look at this one. The prospect of condensing such a broad topic to a series of questions intrigued me. I'm not totally immune to the gleaming allure of well-conceived checklists.

Patrick says:

"There are 70 questions that can be asked to determine whether an enterprise has most defensive principles covered and has taken steps to reduce risk (and entropy) associated with cybersecurity. If you can answer “Yes” to the following 70 questions, then you have significantly reduced your cybersecurity risk. Even so, risk still exists, and entropy must be continuously monitored and mitigated. There is no specific number of layers that can remove all risk, just as there is nothing in the physical universe that does not experience entropy."

Hmmm. OK. Despite the definitive initial statement, I take that introduction as an implicit acknowledgement that there may be more than 70 questions ... and indeed many of the 70 are in fact compound/complex questions, such as "35. Do you prevent the disclosure of internal IP address and routing information on the Internet?" Most of us would instinctively answer "Yes" to that ... but look more closely: the question concerns "IP address" and "routing information", meaning both not either part. What qualifies as "routing information" anyway? And what about other network traffic apart from IP? What is 'disclosure'? What does Patrick mean by 'prevent'? And are we only concerned about 'the Internet'? If you are serious about addressing the information risks relating to NAT and all that (all that), you surely appreciate the naivete of question 35. If this is all Greek to you, maybe not.

Monday 17 July 2023

Pro services under attack

Among all the other bad news in the excellent Cy-Xplorer 2023 report from Orange Cyberdefense, this nugget of threat intelligence poked me in the eye:



I've become increasingly concerned about the information risks relating to professional services in recent years. They seem obvious targets for malicious cyber attacks, given:

Friday 9 June 2023

Risk quantification - other factors (UPDATED)


The conventional focus of risk analysis is to examine the probability of incidents occurring, and their likely impacts if they do - and fair enough, those are obviously key factors ... but not the only ones. Additional factors to consider include:

  • Quality of information and analysis: risks that are commonplace and conventional are generally better understood than those which are novel or rare (such as AI risks, right now);

  • Volatility: if the threats, vulnerabilities and business are reasonably stable, the risks are more easily determined/predicted than if they are volatile, changing unpredictably;

  • Complexity: ugly, horrendously complicated risks are more likely to involve unrecognised interactions;

Friday 2 June 2023

A round dozen risk treatment options



I've been thinking about the 'treatment' phase of risk management lately. These are the four conventional and generally-accepted ways of treating (addressing) identified risks:

  1. Acceptance: living with the risk, hoping that it doesn't materialise;

  2. Avoidance: steering well clear of, or stopping, risky activities;

  3. Mitigation: reducing the probability and/or impact of incidents using various types of control;
     
  4. Sharing: with others, such as business partners, insurers and communities.

However, it occurs to me that a further eight risk treatment approaches are possible, whether you consider them alternatives, variants or complementary:

  5. Procrastination: delaying decisions and actions ostensibly in order to understand risks and possible treatment options (which, meanwhile, implies risk acceptance). Speedy decision-making is an important part of effective

Thursday 25 May 2023

Novel insider threat

A post on LinkedIn this morning led me to a news piece about an IT professional's attempt to divert/steal his employer's payoffs for a ransomware infection, back in 2018.

According to the article, his attempt ultimately failed, largely due to his inept and naive execution ... but I have not come across this particular insider threat before. It was a new one on me, a man-in-the-middle attack layered on top of the ransomware.

Wednesday 26 April 2023

Using ChatGPT more securely

Clearly there are some substantial risks associated with using AI/ML systems and services, with some serious incidents having already hit the news headlines within a few months of the release of ChatGPT. However, having been thinking carefully and researching this topic for a couple of weeks, I realised there are many more risks than the reported incidents might suggest, so I've written up what I found.

This pragmatic guideline explores the information risks associated with AI/ML, from the perspective of an organisation whose workers are using ChatGPT (as an example).  

Having identified ~26 threats, ~6 vulnerabilities and dozens of possible impactful incident scenarios, I came up with ~20 information security controls capable of mitigating many of the risks.

See what you make of it. Feedback welcome. What have I missed? What controls would you suggest? 

Sunday 2 April 2023

To what extent do you trust the robots?

This Sunday morning, fueled by two strong coffees, I'm cogitating on the issue of workers thoughtlessly disclosing all manner of sensitive personal or proprietary information in their queries to AI/ML/LLM systems and services run by third parties, such as ChatGPT.

This is clearly topical given:
(1) the deluge of publicity and chatter around ChatGPT right now, coupled with 
(2) our natural human curiosity to explore new tech toys, plus 
(3) limited appreciation of the associated information risks, and 
(4) the rarity of controls such as policies and Data Leakage Protection technologies. 

Furthermore, even if we do persuade our colleagues (and, let's be honest, ourselves!) to be more careful and circumspect about whatever we are typing or pasting into various online systems, the possibility remains that the general nature of our interests and queries is often sensitive.
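Point (4) above mentions Data Leakage Protection as a rarely-deployed control. As an added example (written for this page, not a SecAware product or any vendor's DLP tool), here is a small pre-submission screen that a browser plug-in or proxy could run over a prompt before it leaves for a third-party chatbot. It flags e-mail addresses, Luhn-valid payment card numbers, AWS-style access key IDs, PEM private-key headers, hostnames under an assumed internal DNS suffix and a constructed list of internal project codenames, and hands back a sanitised prompt with each hit replaced by a placeholder so the worker can still ask the generic question. The codename list, the `corp.example` suffix and the sample prompts are all constructed for this example.

```python
"""Screen a prompt for sensitive content before it leaves for a third-party LLM.

Added example for this post, not a SecAware product or any vendor's DLP. The
codename list, internal hostname suffix and sample prompts are constructed.
"""
import re
from dataclasses import dataclass, field

# Constructed: names only your organisation would recognise as sensitive.
INTERNAL_CODENAMES = ["Project Kestrel", "Orion migration"]
INTERNAL_HOST_SUFFIX = r"corp\.example"          # assumed internal DNS suffix

PATTERNS = [
    ("email", re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")),
    ("payment_card", re.compile(r"\b(?:\d[ -]?){12,15}\d\b")),      # 13-16 digits, spaces/dashes allowed
    ("aws_access_key", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),         # AWS access key ID format
    ("private_key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("internal_host", re.compile(r"\b[\w-]+(?:\.[\w-]+)*\." + INTERNAL_HOST_SUFFIX + r"\b")),
    ("internal_codename", re.compile("|".join(re.escape(n) for n in INTERNAL_CODENAMES), re.I)),
]


def luhn_ok(digits: str) -> bool:
    """Luhn check so that arbitrary digit strings are not flagged as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class ScreenResult:
    allowed: bool
    findings: list = field(default_factory=list)   # (category, matched text)
    sanitised: str = ""


def screen_prompt(text: str) -> ScreenResult:
    """Return what was found and a version with each hit replaced by a placeholder."""
    findings = []
    sanitised = text
    for category, pattern in PATTERNS:
        def replace(m, category=category):
            if category == "payment_card" and not luhn_ok(re.sub(r"\D", "", m.group())):
                return m.group()                      # digits, but not a card number
            findings.append((category, m.group()))
            return f"[{category.upper()}]"
        sanitised = pattern.sub(replace, sanitised)
    return ScreenResult(allowed=not findings, findings=findings, sanitised=sanitised)


if __name__ == "__main__":
    # Constructed prompts of the kind a worker might paste into a chatbot.
    for prompt in [
        "What is a good structure for a risk register?",
        "Tidy this up for jane.doe@example.com: Project Kestrel slipped, card 4111 1111 1111 1111 "
        "was charged, and db01.corp.example uses key AKIAEXAMPLEKEY000000",
    ]:
        result = screen_prompt(prompt)
        print("ALLOW" if result.allowed else "BLOCK", result.findings)
        print("  sanitised:", result.sanitised)
```

The Luhn step matters in practice: without it, order numbers and phone numbers trigger constant false positives and people learn to ignore or disable the control. Whether a finding blocks the prompt outright or merely offers the sanitised version is a policy decision; the function only reports.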

Saturday 25 March 2023

Black hawk down ... but not out




I've long been fascinated by the concept of 'resilience', and surprised that so many people evidently misunderstand and misrepresent it ... so please bear with me as I attempt to put the record straight by explaining my fascination.

Resilience is not simply: 

  • Being secure
  • Being strong
  • Recovering effectively, efficiently or simply recovering from incidents
  • Avoiding or mitigating incidents
  • Any specific technical approach or system
  • Any particular human response, action or intent
  • A backstop or ultimate control
  • Heroic acts
  • A construct, something we design and build
  • Something that can simply be mandated or demanded
  • Specific to particular circumstances, situations or applications

It's bigger than any of those - in fact bigger than all of them, combined. Resilience is all of those, and more ...

Resilience is:

  • A general concept, a philosophy, a belief
  • An engineering and architectural approach

Tuesday 29 November 2022

Information risks a-gurgling

There are clearly substantial information risks associated with the redaction of sensitive elements from disclosed reports and other formats, risks that the controls don't necessarily fully mitigate.

Yes, controls are fallible and constrained, leaving residual risks. This is hardly Earth-shattering news to any competent professional or enlightened infidel, and yet others are frequently shocked. 

A new report* from a research team at the University of Illinois specifically concerns failures in the redaction processes and tools applied to PDF documents. The physical size of redacted text denoted (covered or replaced) with a variable-length black rectangle may give clues as to the original content, while historically a disappointing number of redaction attempts have failed to prevent the original information being recovered simply by removing the cover images or selecting then pasting the underlying text. Doh!
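As an added illustration of the two failure modes just described (example code written for this page, not from the University of Illinois report or from any redaction tool): the script below builds a tiny uncompressed PDF in memory, then scans each content stream for text-showing operators whose glyph box lies underneath a rectangle filled later in the same stream. That is exactly the 'black box painted over live text' case, where select-and-paste or removing the cover recovers the original. It also reports the widths of the cover boxes, since boxes sized to fit the text leak its length. Only the `Tf`, `Td`, `Tj`, `re` and fill operators are handled, and the glyph width is an assumed average of half the font size; a real check needs a full PDF parser and the font's metrics.

```python
"""Verify that redacted text has really been removed from a PDF page.

Added example for this post (not from the University of Illinois report or
any redaction tool). Handles only Tf/Td/Tj/re/fill operators in uncompressed
streams, which is enough for the constructed sample.
"""
import re
from dataclasses import dataclass

AVG_GLYPH_WIDTH = 0.5     # assumed glyph advance as a fraction of font size (no metrics here)

TOKEN = re.compile(rb'\((?:\\.|[^\\)])*\)|[^\s()]+')
NUMBER = re.compile(rb'-?\d+(?:\.\d+)?')
STREAM = re.compile(rb'stream\r?\n(.*?)\r?\nendstream', re.S)


@dataclass
class TextRun:
    text: str
    x: float
    y: float
    width: float
    height: float
    seq: int              # drawing order within the stream


@dataclass
class FilledRect:
    x: float
    y: float
    w: float
    h: float
    seq: int


def parse_content_stream(stream: bytes):
    """Return (text runs, filled rectangles) with their drawing order."""
    runs, rects, operands = [], [], []
    font_size = tx = ty = 0.0
    pending_rect, seq = None, 0
    for tok in TOKEN.findall(stream):
        if tok.startswith(b'('):                      # literal string operand
            operands.append(tok[1:-1].decode('latin-1'))
        elif NUMBER.fullmatch(tok):                   # numeric operand
            operands.append(float(tok))
        elif tok == b'BT':                            # begin text object: reset position
            tx = ty = 0.0
            operands = []
        elif tok == b'Tf':                            # set font size
            font_size = operands[-1]
            operands = []
        elif tok == b'Td':                            # move text position
            tx, ty = tx + operands[-2], ty + operands[-1]
            operands = []
        elif tok == b'Tj':                            # show text: record its box
            seq += 1
            s = operands[-1]
            runs.append(TextRun(s, tx, ty, len(s) * AVG_GLYPH_WIDTH * font_size, font_size, seq))
            operands = []
        elif tok == b're':                            # rectangle path
            pending_rect = operands[-4:]
            operands = []
        elif tok in (b'f', b'f*', b'B', b'b') and pending_rect:   # fill the rectangle
            seq += 1
            rects.append(FilledRect(*pending_rect, seq))
            pending_rect = None
        else:                                         # names and unhandled operators
            operands = []
    return runs, rects


def text_under_rectangles(stream: bytes):
    """Strings still in the stream that a later filled rectangle covers."""
    runs, rects = parse_content_stream(stream)
    covered = []
    for run in runs:
        for r in rects:
            overlaps = (run.x < r.x + r.w and run.x + run.width > r.x and
                        run.y < r.y + r.h and run.y + run.height > r.y)
            if r.seq > run.seq and overlaps:
                covered.append(run.text)
                break
    return covered


def cover_box_widths(stream: bytes):
    """Distinct widths of the filled boxes: boxes sized to the text leak its length."""
    return sorted({r.w for r in parse_content_stream(stream)[1]})


def wrap_in_pdf(content: bytes) -> bytes:
    """Minimal one-page PDF around an uncompressed content stream (constructed)."""
    header = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
              b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
              b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj\n"
              b"4 0 obj << /Length " + str(len(content)).encode() + b" >>\nstream\n")
    return header + content + b"\nendstream\nendobj\n%%EOF\n"


def audit_pdf(pdf: bytes):
    """Every covered-but-still-present string across all content streams."""
    return [s for stream in STREAM.findall(pdf) for s in text_under_rectangles(stream)]


def naive_redaction(secret: str) -> bytes:
    """Constructed page: draws the text, then a black box sized to it. Text is still there."""
    box_w = len(secret) * AVG_GLYPH_WIDTH * 12 + 4
    return (b"BT /F1 12 Tf 72 700 Td (" + secret.encode('latin-1') + b") Tj ET\n"
            b"0 g 70 696 " + str(box_w).encode() + b" 16 re f\n")


def proper_redaction() -> bytes:
    """Constructed page: the text is gone and a fixed-size box is drawn. Nothing to recover."""
    return b"0 g 70 696 120 16 re f\n"


if __name__ == "__main__":
    print("naive :", audit_pdf(wrap_in_pdf(naive_redaction("SECRET"))))   # ['SECRET']
    print("proper:", audit_pdf(wrap_in_pdf(proper_redaction())))          # []
```

The check is deliberately on the document's own content, not on how a viewer renders it: a viewer shows a black box in both cases, which is precisely why people are fooled. A release process should run something of this kind (with a real parser) on the file that actually leaves the building.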

Monday 31 October 2022

Threat is ...


... "any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service" [source: NIST SP800-30r1]

... "a person, situation or event (whether deliberate or accidental, targeted or generic in nature) that is hazardous or dangerous, capable of causing an information security incident" [source: SecAware glossary]

... "potential cause of an unwanted incident, which can result in harm to a system or organization" [source: ISO/IEC 27000:2018]

... a competitor's unexpected shift of tactics

... an ominous promise to cause harm

... an accident waiting to happen

... the cause of a really bad day

... nature red in tooth and claw

... storm clouds on the horizon

... an active component of risk

... an unfortunate coincidence

... sometimes hard to detect

... intended to provoke fear

... advanced and persistent

... go ahead, make my day

... mitigated by deterrents

... a laser dot on the torso

... a stated intent to harm

... the catalyst for change

... a burst of testosterone

... external to the system

... all mouth and trousers

... retarded and tentative

... not always recognised

... what might go wrong

... part of the landscape

... dark and foreboding

... obvious in hindsight

... economic downturn

... when luck runs out

... bad consequences

... competitive intent

... a ransom demand

... coming tooled-up

... potential to harm

... marauding gangs

... an implied attack

... easily discounted

... over-emphasised

... impending doom

... adverse weather

... lack of oversight

... a nasty promise

... a nasty surprise

... static discharge

... unpredictability

... a show of force

... not when but if

... not if but when

... something bad

... hard to control

... a warning sign

... Freddy Kruger

... worth ducking

... the unknown

... a probability

... best avoided

... an oversight

... a possibility

... a prediction

... provocative

... a likelihood

... xenophobia

... generalised

... unintended

... a certainty

... intentional

... theoretical

... the enemy

... hazardous

... bad actors

... existential

... accidental

... a warning

... deliberate

... menacing

... or else ...

... uncertain

... fearsome

... outsiders

... expected

... criminals

... technical

... for show

... ominous

... coercion

... volatility

... left-field

... demonic

... violence

... physical

... directed

... mythical

... genuine

... looming

... bravado

... a worry

... a pitfall

... insiders

... disease

... a bomb

... obvious

... a scowl

... a tactic

... assault

... human

... spooky

... feared

... failure

... 'them'

... anger

... death

... social

... scary

... fake

...

Monday 17 October 2022

Security awareness month


Since October is cybersecurity awareness month in the USA, we've seized the opportunity to update SecAware.com with additional information on our security awareness material. 

SecAware's information security awareness modules explore a deliberately wide variety of individual topics in some depth:

Saturday 21 May 2022

Responsible disclosure - another new policy

We have just completed and released another topic-specific information security policy template, covering responsible disclosure (of vulnerabilities, mostly).

The policy encourages people to report any vulnerabilities or other information security issues they discover with the organisation's IT systems, networks, processes and people. Management undertakes to investigate and address reports using a risk-based approach, reducing the time and effort required for spurious or trivial issues, while ensuring that more significant matters are prioritised.

The policy distinguishes authorised from unauthorised security testing, and touches on ethical aspects such as hacking and premature disclosure.

It allows for reports to be made or escalated to Internal Audit, acting as a trustworthy, independent function, competent to undertake investigations dispassionately. This is a relief-valve for potentially sensitive or troublesome reports where the reporter is dubious of receiving fair, prompt treatment through the normal reporting mechanism - for instance, reporting on peers or managers.

It is primarily intended as an internal/corporate security policy applicable to workers ... but can be used as the basis for something to be published on your website, aimed at 'security researchers' and ethical hackers out there. There are notes about this at the end of the template. To be honest, there are plenty of free examples on the web but few if any are policies covering vulnerability disclosure by workers.

All that in just 3 pages, available as an MS Word document for $20 from SecAware.com.

I am working on another 2 new topic-specific policies as and when I get the time. Paradoxically, it takes me longer to prepare succinct policy templates than, say, guidelines or awareness briefings. I have to condense the topic down to its essentials without neglecting anything important. After a fair bit of research and thinking about what those essentials are, the actual drafting is fairly quick, despite the formalities. Preparing new product pages and uploading the templates plus product images then takes a while, especially for policies that relate to several others in the suite - which most do these days as the SecAware policy suite has expanded and matured. As far as I know, SecAware has the broadest coverage of any info/cybersec policy suite on the market.

... Talking of which, I plan to package all the topic-specific policies together as a bulk deal before long. Having written them all, I know the suite is internally consistent in terms of the writing style, formatting, approach, coverage and level. It's also externally consistent in the sense of incorporating good security practices from the ISO27k and other standards.

Wednesday 18 May 2022

Hacking the Microsoft Sculpt keyboard


In its infinite wisdom, Microsoft designed data encryption into the Sculpt wireless keyboard set to protect against wireless eavesdropping and other attacks. The keyboard allegedly* uses AES for symmetric encryption with a secret key burnt into the chips in the keyboard's very low power radio transmitter and the matching USB dongle receiver during manufacture: they are permanently paired together. The matching Sculpt mouse and Sculpt numeric keypad use the same dongle and both are presumably keyed and paired in the same way as the keyboard.

This design is more secure but less convenient than, say, Bluetooth pairing. The risk of hackers intercepting and successfully decoding my keypresses wirelessly is effectively zero. Nice! Unfortunately, the keyboard, keypad and mouse are all utterly dependent on the corresponding USB dongle, creating an availability issue. Being RF-based, RF jamming would be another availability threat. Furthermore, I'm still vulnerable to upstream and downstream hacking - upstream meaning someone coercing or fooling me into particular activities such as typing-in specific character sequences (perhaps cribs for cryptanalysis), and downstream including phishers, keyloggers and other malware with access to the decrypted key codes etc.

So yesterday, after many, many happy hours of use, my Sculpt's unreliable Ctrl key and worn-out wrist rest finally got to me. I found another good-as-new Sculpt keyboard in the junkpile, but it was missing its critical USB dongle. The solution was to open up both keyboards and swap the coded transmitter from the old to the new keyboard - a simple 20 minute hardware hack.

In case I ever need to do it again, or for anyone else in the same situation, here are the detailed instructions:

  1. Assemble the tools required: a small cross-head screwdriver; a stainless steel dental pick or small flat-head screwdriver; a plastic spudger or larger flat-head screwdriver (optional); a strong magnet (optional).
  2. Start with the old keyboard. Peel off the 5 rubber feet under the keyboard, revealing 5 small screws. Set the feet aside to reapply later.
  3. Remove all 5 screws. Note: the 3 screws under the wrist rest are slightly longer than the others, so keep them separate.
  4. Carefully ease the wrist rest away from the base. It is a 'snap-fit' piece. I found I could lever it off using my thumbs at the left or right sides, then gradually work around the edge releasing it. You may prefer to use the spudger. It will flex a fair bit but it is surprisingly strong.
  5. Under the wrist rest are another 16 little screws. Remove them all, including the two recessed screws near the hump/gap in the middle of the keyboard. Use the magnet to lift out the screws if that helps.
  6. Separate the base of the keyboard from the key unit by working right around the edge with the spudger, gently levering it apart. Like the wrist rest, it is a snap-fit and stronger than it looks. 
  7. As the two parts separate, gently pull the battery connector cable from the circuit board inside: it has a small white push-fit connector.
  8. Remove the two screws from the circuit board.
  9. Using the dental pick, ease the black plastic strip aside from the long white connector to release the ribbon cable pinched underneath.
  10. Remove the circuit board.
  11. Dismantle the newer keyboard in the same way.
  12. Replace the circuit board from the new keyboard with the circuit board from the old one.
  13. Replace the ribbon cable into the connector, then ease the black plastic strip back into place to hold it firm.
  14. Replace the two screws holding the circuit board.
  15. Put the two parts of the keyboard together, connecting the battery cable to the circuit board as you do. The white power plug is keyed and should only go in one way around as shown here, with the black wire closest to the black IC:

  16. Before proceeding, feel free to check that the new keyboard works with the original USB dongle.
  17. Complete the reassembly by snapping the two parts of the keyboard back together all the way around the edge. 
  18. Reinstall the 16 screws from under the wrist rest.
  19. Snap the wrist rest back into place, checking that it is fully home all the way around.
  20. Replace the 5 screws under the feet: remember those 3 longer ones under the wrist rest.
  21. Replace the feet.  If the glue isn't very sticky, apply fresh glue e.g. UHU clear adhesive, to avoid the keyboard becoming lopsided.
  22. Optionally, recover and save the screws, keycaps, plastic spring units, wrist rest and rubber feet from the old keyboard to repair/replace them on the new keyboard as they wear out (see below). Oh and those silver discs embedded in the black plastic base are strong magnets to hold the keyboard ramp in place: if you choose to recover them for other projects, you will need tools to break apart the dark grey ABS 'engineering plastic', knowing that it can fracture into sharp shards. Take care!

Being some of the most common letters in English, the AERT keys always seem to wear out fastest for me and the space key is noticeably shiny, along with the backspace for some reason. After >4 decades' practice, I can almost touch-type so wearing away the key legends should not be a problem ... except when I'm tired and emotional anyway. More annoying are those few intermittent keys, caused by dirt getting under the keycaps and into the switches beneath.
 
Also, the extra-wide keys on the Sculpt sometimes go wonky, staying down on one side or the other. Removing any of the keycaps is easy enough: lever up a corner using the dental pick, then lift the cap off using your fingernail. It is a snap-fit. Underneath, you'll find a distinctly unhygienic accumulation of dust, hair and al-desko lunch crumbs: brush them gently away, trying to avoid breathing in any more pathogens.
 
Here's the disgusting view under one of the well-used Ctrl keys:

 
A: One of two stainless steel support rods is held in this pair of metal loops, and is clipped to the keycap, keeping it level.
B: A smaller stainless steel rod fits to these loops, and is also clipped to the keycap. In this pic, I have put the dental pick tip through a loop from the opposite side.
C: These are plastic scissor-action 'springs' that also clip to the keycap (see below). They are small and fragile.
D: The key's microswitch is under this central silicone rubber dust cover. Check that the dust cover over the microswitch and any surrounding black rubber pad are intact and not torn. If they are torn, the keyboard is probably stuffed: dust will undoubtedly work its way in to interfere with the switch action, if it hasn't already.


If the 'springs' are in separate pieces or obviously broken, replace them with good ones of the same size from your stash of bits (step 22).
 
Being in two halves and even bigger than the Ctrl key, longer support rods under the space bar are attached either side:
 
 
Check that the plastic spring units (and support bars if applicable) are intact and in place. If these are broken or bent, replace them from your stash from the previous Sculpt keyboard (step 22), replace the metal bars into their hoops, then pop the keycaps into place and hope they work better now. Most of all, hope they work at all! If not, too bad. It is probably time to replace your worn-out keyboard after all.
 
 
* I say 'allegedly' because there is no easy way for me to check the claim. Doubtless with a little effort, I could monitor the RF transmissions and perhaps capture and decode the digital bit-stream, but then proving that the system is or is not using AES would be harder, practically impossible for me given my rudimentary knowledge of cryptanalysis.  I suppose I could check the randomness of the encrypted data statistically, looking for patterns that correlate with the letter frequencies. Message headers and structures might be clues. I could try brute force attacks ... or not bother.

Wednesday 11 May 2022

How many metrics?

While perusing yet another promotional, commercially-sponsored survey today, something caught my beady eye. According to the report, "On average, organizations track four to five metrics".  

Four to five [cybersecurity] metrics?!!  Really?  

Oh boy.

Given the importance, complexities and breadth of cybersecurity, how on Earth can anyone sensibly manage it with just four to five metrics? It beggars belief, particularly as the report indicates that three quarters of the 1,200 surveyed companies had at least $1 billion in revenue, and more than half of them have at least 10,000 employees. With a total cybersecurity expenditure of $125 billion (around 80% of the total global estimate), these were large corporations, not tiddlers.

The report indicates the corresponding survey question was "Q30. Which of the following cybersecurity metrics does your organization track, and which metrics are the most important?". Well OK, that's two questions in one, and 'the following cybersecurity metrics' are not stated.

Having been quietly contemplating that one remarkable, counter-intuitive finding for about an hour, I've thought up a bunch of potential explanations so far:

  1. The four to five cybersecurity metrics are just those considered 'key' by the CISOs and other senior people surveyed.
  2. The four to five are just the respondents' choices from the 16 metrics presumably offered in the question (we aren't told what metrics were offered in the question, but there are 16 listed in the report).
  3. Cybersecurity is not being managed sensibly.
  4. Cybersecurity is not being managed.
  5. Cybersecurity is not what I think it is - a neologism for IT security or more specifically Internet security protecting against deliberate, malicious attacks by third parties.
  6. CISOs and the like haven't got a clue what they are doing.
  7. Most CISOs and the like chose not to answer the question (of the 1,200 companies surveyed, we aren't told how many respondents answered this or indeed any other question: perhaps they were getting bored by question 30 of an unknown total).
  8. CISOs and the like simply lied, for some reason, or their responses were inaccurately/ineptly recorded.
  9. The word 'track' in the question strongly implies that the four to five metrics are measured and reported regularly, showing trends over time. Other metrics that are not 'tracked' in this way were not noted.
  10. The survey was ineptly designed, conducted, analysed and/or reported.
  11. The survey was non-scientific, biased towards the interests of the commercial sponsors (who, presumably, offer 'solutions' measured by the chosen metrics ...).
  12. The survey company is blatantly circulating misinformation, designed to mislead.
  13. I am misinterpreting the phrase. Perhaps 'On average' or 'metrics' mean something other than what I understand. 
  14. Perhaps 'four to five' is a transcription error: maybe the count was forty-five.
  15. I'm totally mistaken: it is possible to manage cybersecurity by tracking just four to five metrics. The finding is valid. I need to readjust my head.
  16. I'm seriously over-thinking this, putting far too much emphasis on those eight words taken out of context.
Of that list, while I'm happy to discount the patently ridiculous possibilities, I find it hard to choose between the remainder. I'm drawn inexorably back to something I have complained about previously here on the blog: I suspect that the report is merely another marketing exercise, not a properly designed and conducted scientific study. I find it lacks credibility and integrity, is untrustworthy, and hence is not worth any more of my time, or indeed yours - so I refuse to provide a link to the source.
 
4-0-4  Move along, nothing to see here.

Tuesday 10 May 2022

Threat intelligence policy

 

I finally found the time today to complete and publish an information security policy template on threat intelligence. 

The policy supports the new control in ISO/IEC 27002:2022 clause 5.7: 

"Information relating to information security threats should be collected and analysed to produce threat intelligence."

The SecAware policy template goes a little further: rather than merely collecting and analysing threat intelligence, the organisation should ideally respond to threats - for example, avoiding or mitigating them. That, in turn, emphasises the value of 'actionable intelligence', in the same way that 'actionable security metrics' are worth more than 'coffee table'/'nice to know' metrics that are of no practical use. The point is that information quality is more important than its volume. This is an information integrity issue, as much as information availability.

The policy also mentions 'current and emerging threats'. This is a very tricky area because novel threats are generally obscure and often deliberately concealed in order to catch out the unwary. Maintaining vigilance for the early signs of new threat actors and attack methods is something that distinguishes competent, switched-on security analysts from, say, journalists.

The policy template costs just $20 from www.SecAware.com. I'll be slaving away on other new policies this week, plugging a few remaining gaps in our policy suite - and I'll probably blog about that in due course.

Wednesday 13 April 2022

Domotics - a can-o-worms


This morning, I’ve been browsing and thinking about ISO/IEC 27403, a draft ISO27k standard on the infosec and privacy aspects of “domotics” i.e. IoT things at home.

 

Compared to a [reasonably well controlled] corporate situation, there are numerous ‘challenges’ (risks) in the home setting e.g.:

  • Limited information security awareness and competence by most people. IoT things are generally just black-boxes.
  • Ad hoc assemblages of networked IT systems - including things worn/carried about the person (residents and visitors) and work things, not just things physically installed about the home (e.g. smart heating controls, door locks and cat feeders).
  • Things are not [always] designed for adequate security or privacy since other requirements (such as low price and ease of use) generally take precedence. Finite processing and storage capacities, plus limited user interfaces, hamper/constrain their security capabilities.
  • Lack of processes for managing security and privacy systematically at home. If anything, activities tend to be ad hoc/informal and reactive rather than proactive.
  • Informality: the home is a relatively unstructured, unmanaged environment compared to the typical corporate situation. Few domotics users even consider designing a complete system, although certain aspects or subsystems may be intentionally designed or at least assembled for particular purposes (e.g. entertainment).
  • Dynamics and diversity: people, devices and services plus the associated challenges and risks, are varied and changeable. The home is a fairly fluid environment anyway, and innovation is driving the tech at quite a pace.
  • Limited ability to control who may be present in/near the home and hence may be interacting with IoT devices e.g. adult residents plus children, owners, visitors, installers, maintenance people, neighbours, intruders ... Physically securing things against accidental or malicious interaction is difficult, while networking compounds the issue.
  • Limited ability to manage and control IoT device and service supply chains, as well as the installation, configuration, use, monitoring  and maintenance of devices and services, with little if any coordination among the parties.

Good luck to anyone seriously attempting to secure their own home, or for corporations concerned about securing their employees including home workers (execs and plebs) and an increasingly mobile and tooled-up workforce. 

For instance, I have only a rough idea of what IoT things are in my home, some of which are not mine and are not under my control. Security configuration is, at best, an ad hoc activity when (some) things turn up. Security monitoring and management (e.g. patching) are almost nonexistent, in practice. Being an infosec professional and geek, I do my level best to contain and protect work-related and personal info but it is hard going in such an open, dynamic and potentially hostile environment. “Zero trust” just about sums it up.

The practical limitations, in turn, open the door to all manner of mischief and misfortune.  It’s a veritable can-o-worms I tell you.